v0.50.7

🌟 Release Highlights

This release focuses on smarter workflow updates, better enterprise/OIDC integration, and improved developer experience with clearer error messages and actionable guidance when things go wrong.

✨ What's New

• gh aw update now updates all third-party actions — Previously, force-updating to the latest major version only applied to actions/* core actions. Now all actions across every org are upgraded automatically (#18707, #18692). Use --disable-release-bump to opt out and restore the previous behavior.

• Automatic OIDC/vault permission detection — Workflows using OIDC-based secret managers (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, etc.) in safe-outputs.steps now automatically receive id-token: write permission — no manual configuration required (#18701).

• Firewall block guidance with fix snippets — When the AWF firewall blocks a domain during execution, the footer now includes an actionable code snippet and a documentation link so you can resolve it immediately, rather than just listing the blocked domains (#18676).

🐛 Bug Fixes & Improvements

• Codex policy violation errors now surface in step summaries — When Codex hits a cyber_policy_violation or similar API error, the failure is now clearly reported in the step summary instead of silently producing an empty log (#18699).

• Fixed noop missing from safe-output tools prompt — noop was registered in the MCP server but never listed in the (safe-output-tools) prompt, causing safe-output workflow failures. This is now fixed for all workflows (#18647).

• Fixed context is not defined in safeoutputs MCP backend — The create_pull_request and close_pull_request handlers could fail at runtime due to an unresolved context reference. This regression is now resolved (#18646).

• Fixed Codex tool calls missing from log entries — New-format Codex logs had tool calls detected but never added to logEntries, causing the common renderer to fall back to a blank output. Rendering is now correct (#18678).

📚 Documentation

• Simplified fine-grained PAT setup — PAT creation links now pre-fill the name, description, and permissions, reducing setup friction for new users (#18662, #18682).

🔧 Tool Version Bumps

• Claude Code 2.1.62, GitHub Copilot CLI 0.0.419, Codex 0.106.0, MCP Gateway v0.1.6 (#18669)
• All actions/checkout references upgraded to v6 (#18685)

---

For complete details, see CHANGELOG.

Generated by Release

---

What's Changed

• Fix smoke-trigger.yml startup_failure and missing secrets for workflow_call by @Copilot in #18629
• docs: add pre-filled URL parameters to fine-grained PAT creation links by @Copilot in #18662
• fix: include noop in safe-output tools prompt for all workflows by @Copilot in #18647
• Fix context is not defined error in safeoutputs MCP backend by @Copilot in #18646
• Enhance firewall blocked domains footer with fix snippet and docs link by @Copilot in #18676
• refactor(workflow): deduplicate logic, extract cross-engine helpers, fix interface bypass by @Copilot in #18671
• Fix Codex new-format tool calls missing from logEntries for common renderer by @Copilot in #18678
• docs: update fine-grained PAT repository access instructions for Copi… by @mnkiefer in #18682
• Upgrade actions/checkout to v6 across the repo by @Copilot in #18685
• chore: bump CLI tool versions — Claude Code 2.1.62, Copilot 0.0.419, Codex 0.106.0, MCP Gateway v0.1.6 by @Copilot in #18669
• fix: surface Codex model access blocked errors in step summary by @Copilot in #18699
• feat: update command always updates core actions (actions/*) to latest major version by @Copilot in #18692
• Auto-detect OIDC/vault actions in safe-outputs steps and add id-token:write permission by @Copilot in #18701
• feat: force update all actions to latest major version, add --disable-release-bump flag by @Copilot in #18707

Full Changelog: v0.50.6...v0.50.7